Project Overview and context Scenario Nearly 50,000 Australians and 5000 federal public servants have had sensitive personal information exposed online as part of one of the nation's biggest ever...

Task 1: Data Security Requirements
In order to establish an in-house information security system, the Department of Finance needs to identify the information holdings or assets that require security and are critical to the success of the security plan. It needs to define the roles and responsibilities of the employees skilled to manage the security of the department’s information along with the secure encryption consultant. Once the team has been designated with personnel for the establishment of plan, a comprehensive threat assessment needs to be performed. This shall include threat identification and threat control policy. Subsequently, security countermeasures should be outlined to handle the threats and mitigate their impact. A consolidated security training program needs to be established which shall be periodically conducted among all the employees to ensure that the employees are aware of the importance of security of information and they acquire relevant knowledge and experience in handling minor issues that may cause threats thus contributing in establishing a secure environment. The security policy should include access control policy, backup policy and computer use policy.
Task 2: Security Plan
Assets Identification
· Networks connecting the department of Finance and Australian Electoral Commission.
· Material and Equipment including database, financial system, digital files, storage devices, computers
· Sensitive identifiable information and financial data like credit card information about Australian citizens and employees, of Department of Finance, Australian Electoral Commission.
· Hardware inventory information of each of the operational sites of the department.
· Each of the multiple locations of the organization.
Roles and Responsibilities
· Compliance officers shall be involved in the security team who should be skilled to control processes for responding to incidents, maintain documentation on procedures and policies for the finance department and ensure that the information security guidelines reach every employee.
· Data users including Australian citizens, employees of the department of finance, Workers of insurer AMP, utility UGL and Dutch multinational Robobank should be thoroughly aware of policies and guidelines on security so that they are capable of reporting suspicious activity, security breaches or any policy violation witnessed by them at any level.
· Data Center Administrators will be responsible for monitoring and restricting data access. They would be responsible for helping the security team in identifying which information is private, confidential or public so that the criteria for establishing accessibility can be set.
Threats Assessment
The threats to which the department of Finance may be exposed include several attacks. Social Engineering attacks cause the maximum number of security breaches today such as spear phishing, quid quo pro on computers. In these attacks, emails with malicious content or link with malware are sent to ignorant personnel. Clicking on such link triggers installation of malicious content onto the user’s system. Intentional attack is caused by attacker by impersonating as authorized personnel and gaining access to sensitive information. Password attacks are caused due to weak passwords or traffic interception through MITM attack. Another way of intruding into the system is by tracking key strokes of the employee. Internal attacks may be caused by disgruntled employees. Hardware may be pre-fitted from the manufacturer’s or distributer’s end with malware microchips with intent to breach the system of the Finance department and steal confidential information. Subsequently system vulnerabilities may cause serious threat to the system. Unpatched network devices like routers, servers and switches are another source of intrusion. They may not be configured to update automatically thus leading to eavesdropping and security breaches.
Threat Control and Security Countermeasures
Threat mentioned above can be controlled using authentication along with encryption technology as described in the following section. Multi-way authentication would be most suitable for securing the sensitive information since the data in question is of extremely high confidentiality for the country. Bring your own device (BYOD) policy should be restricted and strict standard should be followed by those who are allowed to BYOD. Adequate training should be provided to the employees and all other users of the system since they are...